The Communications Security Establishment (CSE) released its 2021-2022 Annual report on June 28, 2022.1 The CSE is Canada’s leading foreign signals intelligence and cryptologic agency. It is specifically tasked with collecting foreign intelligence, defending government of Canada networks as well as private networks and systems deemed of importance by the government, providing assistance to federal partners, and conducting active and defensive cyber operations.2 The CSE operates as a Canadian equivalent to the United Kingdom’s GCHQ.
Five things stood out to me in the annual report:
- It provides more details about the kinds of active and defensive cyber operations that the CSE has undertaken while also clarifying when such operations might take place. This information is important given the potentially deleterious or unintended impacts of the CSE exercising these capabilities. It is, however, worth recognizing that the CSE is casting these activities as preventative in nature and does not include a legal discussion about these kinds of operations.
- The report extensively discusses threats to critical infrastructure and the activities that the CSE is undertaking to defend against, mitigate, or remediate such threats. Many of the currently voluntary engagements between the CSE and industry partners could become compulsory (or, at a minimum, less voluntary), in the future, should Canada’s recently tabled infrastructure security legislation be passed into law.
- We generally see a significant focus on the defensive side of the CSE’s activities, vis-a-vis the Cyber Centre. This obscures the fact that the majority of the agency’s budget is allocated towards supporting the CSE’s foreign intelligence and active/defensive cyber operations teams. The report, thus, is selectively revelatory.
- No real discussion takes place to make clear to readers how aspects of the CSE’s foreign intelligence, cybersecurity/information assurance, assistance, or active or defensive cyber operations authorities may interoperate with one another. The result is that readers are left uncertain about how combinations of authorities might enable broader operations than are otherwise self-apparent.
- As I raise at several points when analyzing the annual report there are a number of situations where information in the annual report risks concealing the broader range(s) of actions that the CSE may undertake. Readers of the annual report are thus advised to critically assess the annual report and read what it specifically says instead of what it may imply.
In this post, I proceed in the order of the report and adopt the headlines it used to structure content. After summarizing some of the highlight elements in a given section I proceed with a short discussion of the relevant section. The post concludes with a broader assessment of the annual report, what was learned, and where more information is desirable in the future.Continue reading